July 31, 2017 – A recent KPMG survey found that the healthcare industry has experienced an increase in healthcare cyberattacks and data loss since 2015.
The healthcare executives polled stated that while they are more prepared than ever, they still experienced an increase in cyberattacks.
“Healthcare payers and providers are on treacherous ground here and some organizations are underestimating cyber-security risks,” Healthcare Advisory Leader Dion Sheidy said in a statement.
“There needs to be a higher degree of vigilance among boards and executive suites as attacks become much more sophisticated, especially as doctors need to share information to improve quality and as connected medical devices and wearables proliferate,” Sheidy continued. “The WannaCry ransomware hack in May was a warning shot against our collective ability to protect patient safety and privacy.”
Forty-seven percent of the healthcare organizations surveyed stated that they had security-related HIPAA violations or cyberattacks in 2017, which is up from the 37 percent who reported similar events in 2015.
Thirty-five percent of respondents said that they were “completely ready” to defend their clinical data from a cyberattack, which is much greater than the 16 percent who reported the same thing in 2015. The survey also investigated why healthcare organizations are more confident in their security infrastructure in the face of more frequent and successful cyberattacks.
Sharing data with third parties has increased over the past several years and was identified as one of the biggest vulnerabilities. Data sharing was seen as more of a risk than internet-enabled devices that are not fully controlled by the IT department, or than a lack of resources or budget.
“Despite the rising threats, cyber security as a board agenda item has declined over the past two years (79 percent versus 87 percent in 2015),” said the survey authors. “In addition, KPMG found a disconnect regarding cyber investment in this volatile environment. A smaller majority of healthcare companies made investments in information protection in the prior twelve months (66 percent versus 88 percent in the 2015 survey).”
The survey also touched on the potential threats medical Internet of Things (IoT) devices can bring to healthcare networks. The more devices organizations add to their networks, the more potential vulnerabilities attackers can take advantage of.
The survey noted that many healthcare organizations are engaging their patients through apps and online portals, which can leave the network vulnerable to hacks from outside the network.
“Drug and medical device makers have significant volumes of valuable financial and clinical information,” said Life Sciences Advisory Leader Alison Little. “Recent cyber events targeting the life sciences industry demonstrate that market capitalization can be immediately eroded depending on the nature of the cyber-attack and extent of damage.”
The survey asked medical device makers what their top security priorities are when designing devices for the IoT. Thirty-six percent said better technology was their top priority, followed by an overarching strategy on data collection/protection (28 percent).
Healthcare organizations saw a complete and overarching strategy as the biggest and most immediate cybersecurity need for improving network security. However, the survey analysis noted a lack of concern for staffing.
“A solid cyber security program needs people, processes and technology, and short-changing staff and the process structure needed to adequately govern, manage and monitor the technology is a faulty approach,” KPMG Cyber Security Group in Healthcare & Life Sciences Leader Michael Ebert said in a statement.
“Software can only protect you so far and staff is important when it comes time to respond to a data breach,” Ebert continued. “The respondents that are not emphasizing staff and processes are underestimating the threats or creating a false sense of security among their management and board.”
Healthcare organizations need to look at the big picture when it comes to cybersecurity. Focusing on one area is not enough.
Organizations need to make sure the network is secure, the devices accessing the network are secure, and that the IT staff is experienced enough to detect a potential threat before data is lost.